@wdormann I use the nvd data. It looks like they added some things today, yeah
Notices by Josh Bressers (joshbressers@infosec.exchange), page 2
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 14-Nov-2024 07:16:13 JST Josh Bressers
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 13-Nov-2024 04:16:57 JST Josh Bressers @b00ga Thanks! It was a fun webinar
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 13-Nov-2024 01:11:31 JST Josh Bressers @kurtseifried I've never bothered to figure this out
Maybe some sort of alliance with a focus on cloud security could do it :)
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 13-Nov-2024 01:09:49 JST Josh Bressers Looks like #NVD has stopped enriching #CVE again. So that's neat
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 12-Nov-2024 21:49:29 JST Josh Bressers
Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 07-Nov-2024 05:52:41 JST Josh Bressers @david @kurtseifried I'm glad we could help!
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 05-Nov-2024 23:53:31 JST Josh Bressers This is pretty awesome, well done @ariadne
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 05-Nov-2024 12:00:59 JST Josh Bressers Posted without comment
Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 04-Nov-2024 21:48:32 JST Josh Bressers @djotaku it’s still ongoing, but I look forward to making it happen
I appreciate the pointer!
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 04-Sep-2024 11:32:38 JST Josh Bressers I came home and now my Yubikey is held together with some tape. Is this OK?
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 19-Dec-2023 07:20:58 JST Josh Bressers I was in a meeting today and I realized something profound
We are currently in a post #CVE world
That probably doesn’t make sense to a lot of people, and I need to think about it more
But here’s the basics of it
The CVE data is so comically bad, nobody actually doing #vulnerability work can use it. The ID is all we use. We have to look in other databases and collect our own facts
Automated tools rely on sources like #GitHub, #GitLab, and #OSV. Other than the ID, CVE doesn’t really matter anymore
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 20-Sep-2023 08:11:32 JST Josh Bressers I fixed the XKCD open source cartoon to be more accurate
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 30-Jun-2023 01:54:38 JST Josh Bressers @silverwizard @BleepingComputer Oh my goodness. I'm totally stealing that quote
"these bugs are a tradition"
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 30-Jun-2023 01:48:56 JST Josh Bressers OK, I want to rant about something for a bit
This story from @BleepingComputer covers the topic of the top most dangerous #security #vulnerabilities from 2021/2022
The problem isn't the story, the story is good
The problem is these lists
MITRE is a group that runs #CVE, they host the MITRE ATT&CK framework, #CWE is under their umbrella, and countless other things related to security
#OWASP has a similar list and they are considered one of the primary authorities on secure development
And what do these lists show us? That nothing changes. The lists are the same every year. A few things might move around, but functionally we have the same security problems we did a decade ago, heck, 20 years ago.
These are groups that can hand out advice that will be followed, and what do they give us? Nothing of substance
The secret is because they have no idea how to change anything
I think there are two overly simplistic ways to look at this
First, we have the security the free market demands. There's nothing to fix, these lists are all stupid and pointless. It's just ego stroking for organizations that don't actually matter but want to pretend they are relevant.
OR
The people running these groups have no idea what to do. Many haven't written a line of code in over a decade, and rather than try to work with the next generation, they make lists and complain
I have no grand solution, I'm just complaining. And I'm old. So clearly I fit in the second category. Thank you for coming to my conference talk. I should probably go make a list now
Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 20-Jun-2023 18:59:26 JST Josh Bressers Today I had the pleasure of going through the #rust training @liw offers
I was really impressed by it all. If your company is looking for some Rust training, this is a great option